Spam accounts getting past registration

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=30175
Printed Date: 31 March 2026 at 4:31pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Spam accounts getting past registration
Posted By: frankied210
Subject: Spam accounts getting past registration
Date Posted: 21 February 2012 at 6:57pm

I'm getting several new user accounts created each day that don't fill out all the required information in the registration form.

I added 3 questions and made them required and location by default is required but in all these new accounts, none of the four have anything in the fields.
I tried to create an account leaving them blank and got rejected so it appears the form is working so I conclude that this is somehow an injection exploit. Any suggestions on preventing new account injections like this? They don't activate the account so spam isn't getting posted but the sig lines and urls are all over the registration info and I don't want to help these people out with getting their google rankings up or any new traffic.



Replies:
Posted By: WebWiz-Bruce
Date Posted: 22 February 2012 at 9:53am
What version of Web Wiz Forums are you using?

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: Scotty32
Date Posted: 22 February 2012 at 10:13am
Originally posted by frankied210:

"I added 3 questions and made them required and location by default is required but in all these new accounts, none of the four have anything in the fields."

Do you use JavaScript to make them "required" or ASP?

If you used JavaScript it is trivial to bypass, as you simply turn off JavaScript in your browser.


-------------
S2H.co.uk - WebWiz Mods and Skins: http://www.s2h.co.uk/wwf/

For support on my mods + skins, please use my forum: http://www.s2h.co.uk/forum/


Posted By: WebWiz-Bruce
Date Posted: 22 February 2012 at 11:00am
It does use JavaScript for the validation for custom registration fields in version 10.

However, from version 10.03 onwards there is more security on the registration, due to a Microsoft forum that we host that came under fire from a bot that was clever enough to read CAPTCHA codes all the way up till they got so hard even a human could not read them.

Anyway the upshot of this is that version 10.03 adds a number of extra security features to the registration pages, including having to have JavaScript enabled in order to be able to register.

We are planning to remove the CAPTCHA altogether in the future from Web Wiz Forums as CAPTCHA no longer offers protection from newer, more sophisticated bots that have very clever OCR that is designed specifically to read CAPTCHA codes and are able to read all CAPTCHA codes from all popular CAPTCHA vendors. I've run tests with these and you have to make the CAPTCHA so distorted with so much noise that no-one can read them.

This means that web developers are having to use much more clever systems for defeating bots, which are included on the registration page, and these types of protection will be extended to other areas of Web Wiz Forums so that CAPTCHA can be removed altogether.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: frankied210
Date Posted: 22 February 2012 at 2:27pm
Originally posted by WebWiz-Bruce:

"What version of Web Wiz Forums are you using?"

I just upgraded to 10.3 and this has been an issue for my site since v7.x. Could this be a SQL injection right into the database and a complete bypass of the registration form?


Posted By: WebWiz-Bruce
Date Posted: 23 February 2012 at 7:57am
It would not be an SQL Injection as Web Wiz Forums has multiple defences against SQL Injections. The registration page also uses ADO to populate the database which adds an extra layer of protection against SQL Injection.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: frankied210
Date Posted: 23 February 2012 at 2:31pm
Originally posted by WebWiz-Bruce:

"It would not be an SQL Injection as Web Wiz Forums has multiple defences against SQL Injections. The registration page also uses ADO to populate the database which adds an extra layer of protection against SQL Injection."

I think you are right, not an SQL injection. I had a "real" user register yesterday and I noticed in his profile, he didn't enter anything in the 3 required questions I added to the registration page.
I have tried several times to register a test account without these fields and I get an error when I submit the form (as I should). Not sure why some new user accounts (mostly spammer accounts) are getting through this process and actually getting entered into the database.


Posted By: WebWiz-Bruce
Date Posted: 23 February 2012 at 2:57pm
It may be that they are entering a space for these fields and as only JavaScript is used to validate these extra fields when enabled from the admin area they would be fairly simple to get round. Server side validation will be coming in the future.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
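
The gap discussed above (a script-only required-field check accepts a single space and is skipped entirely when the request is sent without running the script), shown next to a server-side check that closes it. This is an added example, not part of the original thread and not Web Wiz Forums code; the field names and the 100-character limit are assumptions, and JavaScript is used for both halves only so the two checks can be compared directly.

```javascript
// Added illustration, not Web Wiz Forums code. Field names are hypothetical.
const REQUIRED_FIELDS = ["location", "question1", "question2", "question3"];
const MAX_LEN = 100; // assumed upper bound for a short answer

// Script-only check of the kind a browser runs before submit. It never runs
// if scripting is off or the request is sent without loading the page, and a
// bare length test accepts a single space.
function clientSideCheck(form) {
  return REQUIRED_FIELDS.every((name) => String(form[name] ?? "").length > 0);
}

// Server-side check, applied to every request. Returns the names of fields
// that are absent, not a single string, blank once whitespace (including
// non-breaking and zero-width characters) is normalised, or over-long.
function validateRegistration(body) {
  const rejected = [];
  for (const name of REQUIRED_FIELDS) {
    const raw = body[name];
    if (typeof raw !== "string") {
      rejected.push(name);
      continue;
    }
    const cleaned = raw.replace(/[\s\u200b]+/g, " ").trim();
    if (cleaned.length === 0 || cleaned.length > MAX_LEN) rejected.push(name);
  }
  return rejected;
}

// Constructed sample submissions.
const SAMPLES = {
  normalUser: { location: "Leeds", question1: "blue", question2: "4", question3: "tea" },
  spacesOnly: { location: " ", question1: "  ", question2: "\u00a0", question3: "\u200b" },
  fieldsOmitted: { username: "example" }, // sent without the custom fields
};

function summarise() {
  return Object.entries(SAMPLES).map(([label, body]) => ({
    label,
    passesClientCheck: clientSideCheck(body),
    rejectedByServer: validateRegistration(body),
  }));
}

console.log(JSON.stringify(summarise(), null, 2));
```

The registration handler should refuse to create the account whenever `validateRegistration` returns a non-empty list, whatever the browser-side script reported.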


Posted By: frankied210
Date Posted: 23 February 2012 at 3:14pm
Originally posted by WebWiz-Bruce:

"It may be that they are entering a space for these fields and as only JavaScript is used to validate these extra fields when enabled from the admin area they would be fairly simple to get round. Server side validation will be coming in the future."

Good to know. I thought about the space and was going to test it and see if that would work as an answer to the questions. Couldn't there be a validation question like what's 2+2 and have it check that the user enters 4? Ideally, the admin could make up a random list of say three questions and answers. If admins make them up themselves and make them random, it might deter the bots as there would be an endless number of possible answers.
One more question, why isn't the user's IP address logged during registration? New users never have an IP address unless they activate and log in. Is there a way to log the IP address during registration? This would help build a Block IP address list of habitual abusers making junk accounts just to get their back links out there for the search engines. It also causes me to question if the block IP address is even effective in blocking those IPs from registering. I assume it would stop them from logging in but what about stopping the spam user accounts from even getting entered in the database?


Posted By: WebWiz-Bruce
Date Posted: 23 February 2012 at 8:49pm
You can turn on logging by editing the includes/setup_optins_inc.asp page which will record new registrants' IP addresses and other info in log files.

Version 10 also records the registration/last login IP for members which can be viewed in their forum profile.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: frankied210
Date Posted: 23 February 2012 at 9:27pm
Originally posted by WebWiz-Bruce:

"You can turn on logging by editing the includes/setup_optins_inc.asp page which will record new registrants' IP addresses and other info in log files.

Version 10 also records the registration/last login IP for members which can be viewed in their forum profile."

Bruce,
I have logging set to True but I'm not seeing any log being generated. I left it set to default location till I make sure I'm getting log files but no joy. I'll watch it for a while and see if logs start generating but as of now, I have no log files.
Here's what my setup_options_inc looks like.

Const blnLoggingEnabled = True  'Enable logging
Dim strLogFileLocation
strLogFileLocation = Server.MapPath("log_files")  'Default log file folder, change this to a folder outside your website root if you don't want logs files to be public
Const blnModeratorLogging = True  'Log the actions of moderators
Const blnErrorLogging = True  'Log error messages
Const blnNewRegistrationLogging = True  'Log new registrations
Const blnCreatePostLogging = False  'Log the creating of new topics and posts (Don't enable this on busy forums)
Const blnEditPostLogging = False  'Log the editing of topics and posts (Don't enable this on busy forums)
Const blnDeletePostLogging = True  'Log the deletion of topics and posts
 
 
 


